: www.mailsbestfriend.com
Office: 866.919.2075
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 6:39 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion
Here
In trying to capture DOC attachments, someone provided the following line a
while back:
BODY 0 PCRE (?i:filename=[a-z0-9-_ ]\.doc)
That was not working. After my fumbling around and testing, the correct line is
as follows:
BODY 0 PCRE (?i:filename=[a-z0-9-_ ]{1,100}\.doc)
Note the quotation
Thanks David.
A question: why is the following line in GAUNTLET? I realize it can have a high
hit rate, but with the proliferation of malicious emails that are playing with
the encoding, shouldn't this line be removed?
BODYEND PCRE(?i:Content-Transfer-Encoding: base64)
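As an added example (mine, not code from the thread or from the Gauntlet/SNF project), the two rule bodies quoted above are run under Python's re module against a handful of constructed Content-Disposition lines. It shows why the first pattern, which has no quantifier after the character class, only fires when the filename is a single character, and it surfaces two caveats a rule author would want to know: a quoted filename= value is matched by neither pattern, and the unanchored \.doc also fires on .docx. The third pattern with the optional quote is my own variant, not something the thread proposes. It assumes Python's re parses the class [a-z0-9-_ ] the way PCRE does here (the hyphen after the 0-9 range is a literal).

```python
import re

# Rule bodies copied from the thread (the text after "BODY 0 PCRE").
# Assumption: Python's re and PCRE agree on [a-z0-9-_ ] here; the hyphen after
# the 0-9 range is a literal, so the class is letters, digits, '-', '_' and space.
ORIGINAL = r"(?i:filename=[a-z0-9-_ ]\.doc)"          # exactly one character before .doc
CORRECTED = r"(?i:filename=[a-z0-9-_ ]{1,100}\.doc)"   # 1 to 100 characters before .doc

# Added variant (hypothetical, not from the thread): tolerates an optional
# opening quote, which many mail clients put around the filename parameter.
QUOTE_TOLERANT = r'(?i:filename="?[a-z0-9-_ ]{1,100}\.doc)'

# Constructed sample header lines, as a body filter would see them in a MIME part.
SAMPLES = [
    "Content-Disposition: attachment; filename=a.doc",
    "Content-Disposition: attachment; filename=Invoice 2015-08.doc",
    "Content-Disposition: attachment; filename=INVOICE.DOC",
    'Content-Disposition: attachment; filename="report.doc"',
    "Content-Disposition: attachment; filename=report.docx",   # .docx: nothing anchors after \.doc
    "Content-Type: application/pdf; name=statement.pdf",
]


def matches(pattern: str, line: str) -> bool:
    """Return True if the rule pattern fires anywhere in the header line."""
    return re.search(pattern, line) is not None


def compare(lines=SAMPLES) -> list:
    """For each line, return (line, original_fires, corrected_fires, quote_tolerant_fires)."""
    return [
        (line, matches(ORIGINAL, line), matches(CORRECTED, line), matches(QUOTE_TOLERANT, line))
        for line in lines
    ]


if __name__ == "__main__":
    print(f"{'header line':60} original corrected quote-tolerant")
    for line, fires_orig, fires_fixed, fires_quote in compare():
        print(f"{line:60} {fires_orig!s:8} {fires_fixed!s:9} {fires_quote!s}")
```

Running it prints one row per sample line; the second column is True only for the single-character filename, the third column is True for the plain names including the .docx one, and only the quote-tolerant variant catches the quoted filename.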
-Original Message-
From: community@mailsbestfriend.com [mailto:community@mailsbestfriend.com] On
Behalf Of John Tolmachoff
Sent: Wednesday, August 12, 2015 6:39 PM
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion
Here are the lines added by SNIFFER:
X
If SNF has already triggered and scored the message, there is no real reason to
move it to the GAUNTLET as it has already been identified; however, you could
use a filter as you suggest below. Can you provide an actual header line you
want to trigger on so I can validate the PCRE?
and/or malicious, with the body being an http link to a website.
-Original Message-
From: David Barker david.bar...@mailsbestfriend.com
Sent: Wednesday, August 12, 2015 2:01pm
To: community@mailsbestfriend.com
Subject: [MBF] Re: Gauntlet addition suggestion
If SNF has already triggered